DNS from VPN provider not working [SOLVED]

Installing and Using OpenWrt Network and Wireless Configuration
1

Main question: How to change the DNS to proton (10.2.0.1) without loosing the internet access?

I do use a Cudy WR3000s connected to a Vigor 130 via PPPoe.
When using VPN client functionality for one specific IP as configured in PBR what is working flawless, I still can see from that IP in VPN my local DNS with dnsleaktest.com so I guess I do have a DNS leak :frowning:
Same for ipleak.net it shows me the local provider in WebRTC detection for IPv6. And Yes the IPv4 is pointing to the Proton location.

I thought changing DNS for WAN to Proton DNS may help -> Result Internet access gone, so I cannot use that.
Internet is gone for the whole network not only that one IP what is connected to the VPN client. Any idea what can cause this issue?

That is the setting I changed:

image
image610×788 53.5 KB

2

I know from your earlier threads that you have a VPN (WireGuard running) and that your default route is going via the WAN. This is important as DNSMasq which is providing the DNS is running on your router and will take the default route for all DNS requests.

When you use a DNS server for DNSMasq which is not publicly available (available trough the WAN), such as the one you use (10.2.0.1), then you will not have DNS resolution, you can add routing to route this DNS server via the tunnel but it is still a bad idea for two reasons:
DNS is then only available if the tunnel is up and for the tunnel going up you need DNS (for time and endpoint resolution) so you end up in a catch 22 situation (there are however ways to mitigate this)

But even if you can make this work you still have a DNS leak but then for all your client using the WAN because those are now using DNS via the VPN.

A DNS leak can be defined in multiple ways, the most annoying DNS leak is if the geographical origin of DNS and IP address are different which is caused by a different route of the DNS and IP traffic.
This geographical check is what is done by streaming services, banks, amazon etc. (among other things) to detect VPN use.

So the Solution is to Split DNS.
As default is via the WAN all LAN clients using the WAN are fine.
For the LAN clients using the VPN via PBR you also have to make sure those use the VPN for their DNS.
One way is to use DNS option 6 but it can also be done with PBR DNS Policies.
In your case where you have only a limited number of clients using the VPN use the PBR DNS policy for that client.
See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#policy-based-routing

WebRTC leak is a browser problem which you need to address but that is outside the scope of OpenWRT

3

It sounds so easy :slightly_smiling_face:
You guys are great!!

Unbelievable and all on that little machine running OWRT :oncoming_fist:

I will check if I can get that running, PBR is already up and running and I saw that config for DNS already, was also reading about it in the manual, but that is all not so easy to understand ....

1 Like
4

Is this the right approach, both policies are activated for the same IP/MAC?

image
image891×638 76.9 KB

5

Almost, you have IPv6 active on the client and probably your client also has got an IPv6 DNS address from the router so to prevent an IPv6 DNS leak better make sure you also make a rule for IPv6 DNS.
That is the same rule but with an IPv6 address as you probably do not want IPv6 address you use an IPv6 address of :: which means all zero's

Usually you add an IPv4 and IPv6 DNS server on the WG client interface and then specify this WG client interface as Remote DNS the DNS PBR rule then set both a rule for IPv4 and IPv6

See my notes

6

You mean like that? With that :: I am catching all IPv6 addresses which might occur for that specific MAC?
EDIT: Wait that would mean any IPv6 address doen´t matter what device is using the WGClient, right? What would be OK!

image
image1200×340 44.6 KB

The other way you are describing is just another method, easier to control I assume but where do I add that IPv6 DNS server entry in LUCI?
How to distinguish IPv4 and v6?
This is the relevant tab in LUCI for the WGClient interface > Advanced settings?

image
image631×813 57.8 KB

7

No the local source is the MAC address the same as the already existing rule, the remote destination is the IPv6 DNS address but as we do not want IPv6 resolution as you do not have IPv6 we use a fake IPv6 address which is :: meaning all zero's

below the DNS address you already have.

I use Mullvad which supports IPv6 so I have in the Mullvad interface:
image

I already send you the link and the answers are already there please read it

8

OK adjusted the local source and remote destination will test that in a few minutes

BTW: I was reading your link but didn´t fully understand :frowning:

For the DNS settings in WGClient interface, I did the one entry for proton IPv4 but I don´t have an IPv6 entry cause proton doesn´t offer that.
Should I add here the entry :: and unflag "use default gateway" and this way I don´t need to add DNS PBR rules the in PBR for each device, cause the whole WGClient interface will run via these DNS servers?

image
image497×438 25.2 KB

9

Now Testing on the fire stick.
Unfortunately ipleak.net still shows on the ipv6 the home DNS server.
I am using the Silk browser on the stick to test that

10

Can you send the output of (Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have):

cat /etc/config/network
cat /etc/config/pbr
service pbr restart

Note that many clients cache DNS so for a proper test reboot the firestick

Furthermore the firestick can use private DNS (DoT or DoH) if so disable that

11

What I tried now following your guide, I maintained these DNS settings in the interface wgclient (also device is wgclient) and assigned in PBR policies only one entry per MAC address and assigned as remote DNS wgclient (this is the device)
Result: Not working ignores the VPN completely that way
I maintained as device just wgclient or should that be @wgclient?
(Yes restarted device and PBR and interface)

image
image481×376 20.1 KB

image
image698×197 12.8 KB

Therefore back to the settings as before means one PBR police for IPv4 and two DNS policies for IPv4 and v6.
That is 100% working on the Laptop but isn´t 100% working for the Firestick.
Means IP4 is covered IPv6 not reachable no additional DNS detected, just the WebRTC leak detection on the firestick and I think this is caused by the famous Amazing:-) technology.
I am using to test the SILK browser (no other available) on the stick and additionally I am logged on to my ama... account there.

  1. Do you see any chance to get rid of that WebRTC leak?
  2. Is the VPN protecting me with that WebRTC leak?

This is the config I am using now, below the two config files

image
image1037×486 45.2 KB

br-lan    Link encap:Ethernet  HWaddr 8x0  
          inet6 addr: fx4 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1676518 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3235416 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:363287837 (346.4 MiB)  TX bytes:3635300546 (3.3 GiB)

br-lan.2  Link encap:Ethernet  HWaddr 8x0  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fx9::1/60 Scope:Global
          inet6 addr: 2x0 Scope:Global
          inet6 addr: fx4 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1671989 errors:0 dropped:51349 overruns:0 frame:0
          TX packets:3229297 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:362046877 (345.2 MiB)  TX bytes:3629900692 (3.3 GiB)

br-lan.3  Link encap:Ethernet  HWaddr 8x  
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fex4 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4529 errors:0 dropped:2 overruns:0 frame:0
          TX packets:6112 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1240960 (1.1 MiB)  TX bytes:5399108 (5.1 MiB)

eth0      Link encap:Ethernet  HWaddr 8x0  
          inet6 addr: fex4 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:7545921 errors:5 dropped:0 overruns:0 frame:0
          TX packets:5958303 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:7130989380 (6.6 GiB)  TX bytes:2956565981 (2.7 GiB)
          Interrupt:75 

lan1      Link encap:Ethernet  HWaddr 8x  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1065598 errors:0 dropped:3 overruns:0 frame:0
          TX packets:2074144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:237508728 (226.5 MiB)  TX bytes:2278271989 (2.1 GiB)

lan2      Link encap:Ethernet  HWaddr 80x0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2667073 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2239234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3111028997 (2.8 GiB)  TX bytes:188575877 (179.8 MiB)

lan3      Link encap:Ethernet  HWaddr 8x0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:261022 errors:0 dropped:0 overruns:0 frame:0
          TX packets:190244 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:60379195 (57.5 MiB)  TX bytes:116386553 (110.9 MiB)

lan4      Link encap:Ethernet  HWaddr 8x0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:326972 errors:0 dropped:0 overruns:0 frame:0
          TX packets:290175 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:31214509 (29.7 MiB)  TX bytes:27305450 (26.0 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:15498 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15498 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1775773 (1.6 MiB)  TX bytes:1775773 (1.6 MiB)

phy0-ap0  Link encap:Ethernet  HWaddr 8x0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2706095 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4308221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:246344674 (234.9 MiB)  TX bytes:4273938995 (3.9 GiB)

phy0-ap1  Link encap:Ethernet  HWaddr x0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1033 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3169 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:352802 (344.5 KiB)  TX bytes:2109586 (2.0 MiB)

phy1-ap0  Link encap:Ethernet  HWaddr 8x1  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:720129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1390247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:64642818 (61.6 MiB)  TX bytes:340742227 (324.9 MiB)

phy1-ap1  Link encap:Ethernet  HWaddr 8x  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1505 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3995 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:577088 (563.5 KiB)  TX bytes:2704767 (2.5 MiB)

pppoe-wan Link encap:Point-to-Point Protocol  
          inet addr:9x3  P-t-P:6x1  Mask:255.255.255.255
          inet6 addr: xxx4 Scope:Global
          inet6 addr: fxxx8 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:3214445 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1158027 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:3588691766 (3.3 GiB)  TX bytes:268783770 (256.3 MiB)

wan       Link encap:Ethernet  HWaddr 8xx1  
          inet6 addr: fx4 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3225256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1163938 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3660674267 (3.4 GiB)  TX bytes:294494338 (280.8 MiB)

wgclient  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.2.0.2  P-t-P:10.2.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1412  Metric:1
          RX packets:10708 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10097 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9709296 (9.2 MiB)  TX bytes:1416344 (1.3 MiB)

wgserver  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.22.22.1  P-t-P:172.22.22.1  Mask:255.255.255.0
          inet6 addr: xxx8 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1515 errors:18 dropped:0 overruns:0 frame:18
          TX packets:1466 errors:0 dropped:797 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:269460 (263.1 KiB)  TX bytes:436988 (426.7 KiB)

root@Diele:/etc/config# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fxxx8'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option username '00xxx'
	option password '3xxx'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'wgserver'
	option proto 'wireguard'
	option private_key '4xxx0='
	option listen_port '55443'
	list addresses '172.22.22.1/24'
	list addresses 'fd53:63ef:2e2d::/48'

config wireguard_wgserver
	option description 'My Peer'
	option public_key 'pxxxz4='
	option private_key 'UCxxxlo='
	option route_allowed_ips '1'
	option endpoint_port '55443'
	option persistent_keepalive '25'
	list allowed_ips '172.22.22.2/32'

config wireguard_wgserver
	option description 'Tobi Peer'
	option public_key 'xxx='
	option private_key 'yxxxGs='
	option route_allowed_ips '1'
	option endpoint_port '55443'
	option persistent_keepalive '25'
	list allowed_ips '172.22.22.3/32'

config interface 'wgclient'
	option proto 'wireguard'
	option private_key 'gAxxxg='
	list addresses '10.2.0.2/32'
	option mtu '1412'
	list dns '10.2.0.1'
	list dns '::'

config wireguard_wgclient
	option description 'Imported peer configuration'
	option public_key 'nxxxnk='
	option persistent_keepalive '25'
	option endpoint_host '190.2.148.229'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	list allowed_ips '::/1'
	list allowed_ips '8000::/1'

root@Diele:/etc/config# cat /etc/config/pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '1'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'FireCube&Laptop IPv4'
	option src_addr '0xxx'
	option dest_dns '10.2.0.1'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'FireCube 192.168.2.133/24'
	option src_addr 'xxx'
	option interface 'wgclient'
	option enabled '0'

config dns_policy
	option name 'FireCube&Laptop IPv6'
	option src_addr 'xxx'
	option dest_dns '::'

config policy
	option name 'Test'
	option src_addr 'xxx'
	option dest_addr '::'
	option interface 'wgclient'
	option enabled '0'

config dns_policy
	option name 'wgclient as remote DNS'
	option dest_dns 'wgclient'
	option src_addr 'xxx'
	option enabled '0'

config policy
	option name 'Notebook Test'
	option src_addr 'xxx'
	option interface 'wgclient'
12

For Remote DNS you use the dropdown box to choose the wgclient from the dropdown menu but the box should show wgclient indeed.
As the Local address contains the MAC address of the client and the MAC address is both IPv4 and IPv6 and the Remote DNS is the wgclient interface which also holds an IPv4 DNS server and an IPv6 DNS server you should have two rules automatically made in the firewall, one for IPv4 and IPv6

But If I understand you correctly the separate rules work and so I consider your problem as solved :slight_smile:
Therefore I am not going to look further into it also because it works for me with one rule (I duplicated your setup with a proton client)
It might be because you are using an older PBR client but I guess we will never know.

About WebRTC leak that is a browser related problem.

Most browsers can disable WebRTC or you can use an Add-on for the browser to disable WebRTC.
I think you can disable it for FireFox and Brave browsers not sure about Chrome for Android but this is outside the scope of this thread and outside the OpenWRT scope.

1 Like